topic Re: Securing console from single user boot in Operating System - HP-UX

Securing console from single user boot

Alan Edwards — Tue, 15 Oct 2002 15:27:02 GMT

Is it possible to secure the console from booting into single user mode unless you know the root password?

The specific systems I am using are J series workstations.

Re: Securing console from single user boot

Sandip Ghosh — Tue, 15 Oct 2002 15:33:38 GMT

It is not possible to secure the single user boot-up. Because when you boot up in single user mode it does not ask for any password.

Sandip

Re: Securing console from single user boot

Ted Ellis_2 — Tue, 15 Oct 2002 15:36:42 GMT

I am not sure if this is compatible... but it is certainly something that may be worth looking into. You could get rid of the "local" console and replace with a web console. To access the console you can configure an additional log-in with password. Not fool proof, as someone could hook up a local monitor and reboot the box anyway, but it makes it more difficult... and nice to have that web-console for remote operations... something to consider

Ted

Re: Securing console from single user boot

S.K. Chan — Tue, 15 Oct 2002 15:37:06 GMT

Only if you convert your workstation to truted mode. With trusted you can configure (in SAM) it in such a way that when the system boots up in single user mode a login is required. Typically when booting the system in single user mode you'll see something like "boot authentication" required (kindda like a login prompt).

Re: Securing console from single user boot

Bill Hassell — Tue, 15 Oct 2002 15:37:24 GMT

Actually, there is a way to secure single user mode: convert to a Trusted System. One of the policies in Trusted is to require root password to get a shell prompt.

Otherwise, to secure the system from single user mode attacks, the computer and (all) console access must be physically protected with locked doors, etc.

Re: Securing console from single user boot

Alan Edwards — Tue, 15 Oct 2002 15:43:31 GMT

I know; that is why I am asking. In the back of my mind I remember an HP reference to a "Secure Console boot".

This can be done on other UNIX's, for example Linux. If HP cannot, is a security hole as workstations are typically on a desk, not in a secure computer room.

Re: Securing console from single user boot

Alan Edwards — Tue, 15 Oct 2002 15:45:25 GMT

Wow, many responses, much appreciated.

One comment, these are workstations on desks, the console is a 21??? monitor the user uses, so I can???t turn it off.

Re: Securing console from single user boot

S.K. Chan — Tue, 15 Oct 2002 15:49:22 GMT

We had quite an extensive discusson back in May. You may want to read this ..
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x6c118f960573d611abdb0090277a778c,00.html

Re: Securing console from single user boot

Alan Edwards — Tue, 15 Oct 2002 15:50:31 GMT

I'm not sure I can do trusted mode, we use NIS for user authentication.

Re: Securing console from single user boot

Bill Hassell — Tue, 15 Oct 2002 17:01:00 GMT

Correct. NIS defeats the whole purpose of a Trusted system by sending the encrypted password across the network. A Trusted system uses a shadow password technique. There is an NIS+ standard which does provide encryption for the commuinication but it is totally incompatible with plain NIS, thus all clients must support NIS+ before switching.

Workstations are always a problem due to lack of physical security. The night crew that cleans the floor is a perfect cover to tap on keyboards when no one is looking. The best way to secure the data is over the network. The screen lockout prevents access in multiuser mode, and in single user mode, it is impossible to do any networking. Of course, NFS brings it's own set of problems...

Re: Securing console from single user boot

Alan Edwards — Tue, 15 Oct 2002 17:39:31 GMT

Hi Bill, I agree, there is not much that can be done.

After rethinking this, I don???t think this is a problem that needs fixing after all. We do have all user data and applications on NFS or AFS shares, so there isn't anything locally.

If someone did bring a system to single user mode they couldn???t get to anything on the network, and I can re-ignite the system in 45 minutes.

Thanks, everybody

Re: Securing console from single user boot

Steffen Jaiser — Wed, 16 Oct 2002 13:51:40 GMT

Hi,
I'm not so sure about the security. True, that you can't access the network in single user mode, but what hinders you to choose files first in the nsswitch.conf (before NIS) and change the root password. Then you could execute an init 4 login as root and su to any user you want (Though I'm not 100% sure if NIS allows this) and open up a NFS connection this user is allowed to.
I think there was a switch in the boot menu that allowed to disable the interuption of the bootup. though I don't really know if the J-Class still has something like this and it would also be not 100% sure.
Hope it helped.